-
漏洞信息

-
漏洞描述

CMScout contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate user-supplied input upon submission to the forum posts or private messages. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

-
时间线

公开日期:
2006-05-02

发现日期:
Unknow

利用日期:2006-05-02

解决日期:Unknow

-
解决方案

Upgrade to version 1.21 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

-
漏洞作者

-
漏洞信息

漏洞作者:
Nomenumbra is credited with the discovery of this vulnerability.

-
受影响的程序版本

CMScout CMScout 1.10
CMScout CMScout 1.21

-
不受影响的程序版本

CMScout CMScout 1.21

-
漏洞讨论

CmScout is prone to multiple HTML-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.

Attacker-supplied HTML and script code would be executed in the context of the affected website, potentially allowing an attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.

Versions 1.10 and prior are vulnerable; other versions may also be affected.